James Webb wrote:
James Webb wrote:
Kill Bill wrote:
Your own IP as in something from HOME_NET? Not exactly a useful test either. In general, taking similar things to the forum before you have a clear bug somewhere would be suggested.
No a public facing IPv4 address. Not from HOME_NET. This is a clear bug as IPv6 addresses are being filtered in Inline mode. IPv4 addresses were also filtered until we started testing on the pfSense 2.4 beta. No Suricata configs have changed.
Looks like you accidentally quoted a message without putting anything in the body there!
Just made an account to add that I've also experienced the same problem recently with my hardware, but decided to refrain from making a bug report as I assumed it was my inexperience mis-setting up the system, not to mention that the pfSense release was still beta. However, given the confusion above I've decided to make an account to document my experiences. I started with all default configs as far as I'm aware on the latest 2.4 BETA.
Upon adding a similar rule:
```
drop ip 79.140.192.0 any -> $HOME_NET any (msg:"BLOCKED Test Connection";)
```
I have found the same behaviour as James. Just to be clear, the address blocked is from a VPN that is completely independent of all local addresses encompassed in $HOME_NET.
I'm finding that in legacy mode I have Suricata working as expected, blocking test connections from the VPN. In addition to this singular test address, other random botnets/probing connections (both IPv4 and v6) are dropped, as configured in the default rules.
However when switching to inline mode, I also experience that the above testing address is not blocked at all and connection attempts from it are allowed. In addition, regular IPv6 addresses are also blocked just like in legacy mode, however - be it coincidence or not - no IPv4 blocks are being shown on the log. It seems unlikely to me that this is because no rogue IPv4 connections are made to the server, as they were detected fairly frequently in Legacy mode. Thus, I suspect that these are not being picked up.
I imagine, as James mentioned, that the problem may revolve around this (no IPv4 traffic being blocked), or an issue in default configurations. However as I said, I have little experience with Suricata; the little I have is only from testing it in the recent past. Therefore the problem may be more subtle, or James and I have fallen into the same trap whilst configuring, so I am merely speculating.
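One way to make the legacy-vs-inline comparison above objective is to read Suricata's EVE JSON log rather than eyeballing the GUI: in inline mode a drop rule that fires is logged with alert.action "blocked", while "allowed" means the signature matched but the packet was not dropped. The script below is an added example, not code from the thread or from the pfSense package; the sample log lines are constructed, and the sid 1000001 is an assumption since the posted rule carries none.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample EVE JSON lines (not real log data): the test rule fires
# for the same IPv4 source twice, once "blocked" and once only "allowed",
# plus one IPv6 drop and one non-alert event that must be ignored.
SAMPLE_EVE = """
{"timestamp":"2017-06-01T10:00:00.000000+0000","event_type":"alert","src_ip":"79.140.192.0","dest_ip":"192.0.2.10","proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"signature":"BLOCKED Test Connection"}}
{"timestamp":"2017-06-01T10:00:01.000000+0000","event_type":"alert","src_ip":"79.140.192.0","dest_ip":"192.0.2.10","proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"signature":"BLOCKED Test Connection"}}
{"timestamp":"2017-06-01T10:00:02.000000+0000","event_type":"alert","src_ip":"2001:db8::1","dest_ip":"2001:db8::10","proto":"TCP","alert":{"action":"blocked","signature_id":2000002,"signature":"ET SCAN example"}}
{"timestamp":"2017-06-01T10:00:03.000000+0000","event_type":"flow","src_ip":"198.51.100.5","dest_ip":"192.0.2.10","proto":"TCP"}
"""

def _alerts(eve_text):
    """Yield only the alert events from a block of EVE JSON lines."""
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            yield ev

def tally_alerts(eve_text):
    """Count alerts by (IP family, action), e.g. ("IPv4", "blocked").
    An inline-mode log with no ("IPv4", "blocked") key at all is the
    symptom described in this thread."""
    counts = Counter()
    for ev in _alerts(eve_text):
        family = "IPv%d" % ipaddress.ip_address(ev["src_ip"]).version
        counts[(family, ev["alert"].get("action", "unknown"))] += 1
    return counts

def unblocked_drop_hits(eve_text, signature_id):
    """Source IPs that matched the given drop rule's sid but were logged as
    'allowed', i.e. the rule fired but Suricata did not enforce the drop."""
    hits = set()
    for ev in _alerts(eve_text):
        alert = ev["alert"]
        if alert.get("signature_id") == signature_id and alert.get("action") == "allowed":
            hits.add(ev["src_ip"])
    return sorted(hits)

if __name__ == "__main__":
    # Point this at /var/log/suricata/<iface>/eve.json on a real box.
    for key, n in sorted(tally_alerts(SAMPLE_EVE).items()):
        print(key, n)
    print("drop rule fired but not enforced for:", unblocked_drop_hits(SAMPLE_EVE, 1000001))
```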